Use of the append_sid function

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
Post Reply
TerryE
Registered User
Posts: 95
Joined: Sat May 23, 2009 12:24 am
Contact:

Use of the append_sid function

Post by TerryE »

If you grep "append_sid(" in the source tree then you will see that many URL links within a PHP document explicitly append a SID, despite the use of a cookie to maintain the sid as well. I can't understand the reason for this duplication. OK, I realise that some users can disable cookies and therefore we can't rely on the SID cookie, but if the SID cookie was set on the page invocation, then they haven't for this session.

Embedding the SID in a URL can cause cause undesirable side-effects:
  • Bookmarking the link will fix the sid, and won't work anyway once the session has expired and will require the user to log in again, even if he or she already has a valid session open.
  • Appending the SID to quasi-static items such as style.php and download/file.php frustrates local caching on the browser, since browsers will treat URLs with different SIDs as different items. Such unnecessary repeat downloads are a material % of my aggregate site bandwidth.
  • This introduces security loop-holes if the user publishes the URI or sends it to a colleague as this will mean that the recipient with acquire the senders session context.
Surely we should only append SID if cookies are disabled in the browser?

User avatar
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany
Contact:

Re: Use of the append_sid function

Post by naderman »

append_sid only appends the session ID when it's not present in a session cookie (yet). So either on the first request where one doesn't know if cookies work yet or if cookies are actually disabled.

So to improve this we can only either drop support for sessions without cookies (which seems normal everywhere else on the web) or try to figure out some javascript hack to avoid having them at all on the first page view.

TerryE
Registered User
Posts: 95
Joined: Sat May 23, 2009 12:24 am
Contact:

Re: Use of the append_sid function

Post by TerryE »

Hummm, I need to look at the code and the apache log analysis, but my current view is that it isn't as simple as that. For example, once the sid parameter is set then it seems to be latched, so that subsequent pages have it, even if the <forum cookie prefix>_sid cookie is return as a request header.

For example such SID triggered redownloads of style.php take up about 5% of my total network bandwidth on OOo. Given that this function has no user or session-specific context other than the style selection which is already a URI parameter, I don't understand why would want to attach a sid to such style links anyway.

User avatar
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany
Contact:

Re: Use of the append_sid function

Post by naderman »

There are some instances of append_sid calls where the session id in the URL is enforced. For example ACP/MCP pages that require a session id to be present in the URL for additional security. style.php always gets a session id in the url for historic reasons but this is won't be a problem anymore after viewtopic.php?f=84&t=33456

Post Reply